For a SharePoint installation, this page recommends the following best practices and naming conventions for service accounts. In your deployment you may not need all of these accounts. For example, if PerformancePoint will not be deployed, you will not need the PerformancePoint service account.

Overview

The account name is arbitrary, but keep it within the character limits (see SharePoint and Managed Service Accounts and SharePoint Service Account Character Length below) and keep it short while still descriptive enough.

SP Farm

During User Profile Synchronization (UPS) application provisioning, this account needs to be a local administrator and have Log On Locally rights on the server that will host the UPS application.

After UPS application provisioning, remove the local administrator privilege but keep the Log On Locally rights.

After granting this account local administrator and Log On Locally rights, it is important that you log out and log back in to the server (or restart the server) so the new rights take effect.

SP Web Application

Web Application Pool Account

Used for:

Application pool identity for the main web application IIS website

Domain account

SP Services

SharePoint Web Services Application Pool Account

Used for:

Application pool identity for the SharePoint Web Services IIS website

Domain account

SP C2WTS

Claims to Windows Token Service Account

Used as the identity for the Claims to Windows Token Service.

Create this dedicated account if you plan to use Excel Services, Visio Services, PerformancePoint, or Office Web Apps Excel services.

Domain account

Local Admin on SharePoint Servers that will be running any of the following services:

Excel Services

Visio Service

PerformancePoint Service

Office Web Apps Excel Service

SP Cache Super User

Portal Super User

Used for:

Super user cache account

Domain account

This account requires Full Control access to the web application.

SP Cache Super Reader

Portal Super Reader

Used for:

Super reader cache account

Domain account

This account requires Full Read access to the web application.
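Configuring the two object cache accounts described above (web application properties plus the Full Control and Full Read policies), as an added PowerShell example that is not part of this page. It assumes the web application URL and the two account names shown, and is run from the SharePoint Management Shell on a farm server.

```powershell
# Added example: configure the object cache accounts for one web application.
# Assumed values - replace with your own web application URL and account names.
$webAppUrl = "https://portal.contoso.local"
$superUser = "CONTOSO\SP_CacheSuperUser"
$superRead = "CONTOSO\SP_CacheSuperReader"

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$wa = Get-SPWebApplication -Identity $webAppUrl

# Claims web applications expect the accounts in encoded claims form (i:0#.w|DOMAIN\name);
# classic-mode web applications take the plain DOMAIN\name instead.
if ($wa.UseClaimsAuthentication) {
    $superUserId = (New-SPClaimsPrincipal -Identity $superUser -IdentityType WindowsSamAccountName).ToEncodedString()
    $superReadId = (New-SPClaimsPrincipal -Identity $superRead -IdentityType WindowsSamAccountName).ToEncodedString()
} else {
    $superUserId = $superUser
    $superReadId = $superRead
}

# Web application policies: Full Control for the super user, Full Read for the super reader.
# An existing policy for the same identity is reused so re-running the script adds no duplicates.
function Set-CachePolicy($webApp, $identity, $displayName, $roleType) {
    $policy = $webApp.Policies | Where-Object { $_.UserName -eq $identity }
    if (-not $policy) { $policy = $webApp.Policies.Add($identity, $displayName) }
    $role = $webApp.PolicyRoles.GetSpecialRole($roleType)
    if (-not ($policy.PolicyRoleBindings | Where-Object { $_.Name -eq $role.Name })) {
        $policy.PolicyRoleBindings.Add($role)
    }
}
Set-CachePolicy $wa $superUserId "Portal Super User"   ([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
Set-CachePolicy $wa $superReadId "Portal Super Reader" ([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)

# Tell the object cache which identities to use, then commit the web application.
$wa.Properties["portalsuperuseraccount"]   = $superUserId
$wa.Properties["portalsuperreaderaccount"] = $superReadId
$wa.Update()

# Verify: both properties are set and both policies carry the expected roles.
$wa.Properties["portalsuperuseraccount"], $wa.Properties["portalsuperreaderaccount"]
$wa.Policies | Where-Object { $_.UserName -in $superUserId, $superReadId } |
    Select-Object UserName, DisplayName, @{ n = "Roles"; e = { $_.PolicyRoleBindings.Name -join "," } }
```

The accounts should hold only these web application policies; granting them site-level permissions as well defeats the purpose of dedicated cache identities.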

SP Excel User

Excel Service Unattended Service Account

Used for:

Connecting to external data sources that require a username and password for authentication based on an OS other than Windows

Domain account

SP Visio User

Visio Graphics Service Unattended Service Account

Used for:

Connecting to external data sources that require a username and password for authentication based on an OS other than Windows

Domain account

SP PerformancePoint User

PerformancePoint Service Unattended Service Account

Used for:

Connecting to external data sources that require a username and password for authentication based on an OS other than Windows

Domain account

SP My Site Application Pool Account

My Sites Application Pool Account

Used for:

My Site application pool

Domain account

If you are hosting the My Site site collection under the same web application as other site collections, you do not need this account. Create it only if you are creating a dedicated web application for the My Site site collection, in which case you set that web application's application pool account to this account.

SP Profile Synchronization

Synchronization Account

Used for:

Connecting to a directory service

User Profile Services to access AD

User Profile Services to run profile synchronization

Domain account

This account requires the Replicate Directory Changes permission in AD DS on the domain node.

The Replicate Directory Changes permission does not enable an account to create, change or delete AD DS objects. It only enables the account to read AD DS objects and to discover AD DS objects that were changed in the domain.
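A check that the synchronization account holds Replicate Directory Changes on the domain node, and nothing beyond it there, as an added PowerShell example that is not part of this page. It assumes the account name shown and the ActiveDirectory module on the machine it runs from; the control access right GUID is the schema-defined value for Replicate Directory Changes.

```powershell
# Added example: audit the profile synchronization account's rights on the domain naming context.
# Assumed account name - replace with your own.
Import-Module ActiveDirectory
$syncAccount = "CONTOSO\SP_ProfileSync"

# Control access right GUID for "Replicate Directory Changes" (DS-Replication-Get-Changes).
$replicateChanges = [guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"

function Get-ExtendedRightsOnDomain([string]$account) {
    $domainDn = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDn"
    # Keep only Allow ACEs for the account that carry an extended right; ObjectType says which one.
    $acl.Access |
        Where-Object {
            $_.IdentityReference.Value -eq $account -and
            $_.AccessControlType -eq "Allow" -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
        } |
        Select-Object IdentityReference, ObjectType, ActiveDirectoryRights, InheritanceType
}

$rights = Get-ExtendedRightsOnDomain $syncAccount

# An empty ObjectType GUID means "all extended rights", which covers far more than sync needs.
$hasReplicate = $rights | Where-Object { $_.ObjectType -eq $replicateChanges -or $_.ObjectType -eq [guid]::Empty }
if ($hasReplicate) {
    "OK: $syncAccount holds Replicate Directory Changes on the domain node."
} else {
    "MISSING: $syncAccount does not hold Replicate Directory Changes on the domain node."
}

# Anything else here exceeds what profile synchronization requires; review and remove it.
$rights | Where-Object { $_.ObjectType -ne $replicateChanges } | Format-Table -AutoSize
```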

SP Search Service

Search Service Account

Used for:

Windows user credentials for the SharePoint Search service

Domain account

SP Search Crawl

Default Content Access Account

Used for:

Crawling content for the Search service application

Domain account

This account must have read access to external or secure content sources that SharePoint will be crawling.

For SharePoint sites that are not part of the server farm, this account must be explicitly granted Full Read permission on the web applications that host the sites.

Project Server

If you plan to deploy Project Server, the following accounts and groups are required for a least-privilege scenario.

Accounts

PS Project

Project Server Service Application Application Pool Account

Database owner on the content databases associated with the web application

Read/write access to the associated Project Server Service Application database

Read permission on SharePoint_Config database

PS Project Report

Secure Store Target Application Account

This account provides the credentials needed for report viewers to view reports generated from data in the PWA database.

This account is used as part of the Secure Store Configuration

Add this account to the Report Authors Active Directory group

Permission:

db_datareader on the PWA database

PS Workflow Proxy

Project Server Workflow Activities Account

This account is used to make Project Server Interface (PSI) calls associated with each workflow.

Configured as a Project Server user account, with the following permissions:

Global permissions:

Log On

Manage Users and Groups

Manage Workflow and Project Detail Pages

Category permissions:

Open Project

Save Project to Project Server

If using SharePoint Permission mode, add this account to the Administrators for PWA security group.

Groups

PS Project Report Authors

Report Authors Group

AD security group - Global

Users in this group can create reports

If report authors will also be viewing reports, add this group to the Report Viewer Group

Permission: db_datareader on PWA database

PS Project Report Viewers

Report Viewers Group

AD security group - Global

Users in this group can view reports

This group is used as part of Secure Store configuration

That is, add the Secure Store Target Application account to this group.

PS Project External Report Viewers

External Report Viewer Group

This group is optional.

For users who do not have a PWA user account but require access to the Project Server BI Center to view reports

SharePoint and Managed Service Accounts

For SharePoint service accounts, do not create Active Directory Domain Services accounts that are Managed Service Accounts or Virtual Service Accounts. These two types of service account were introduced in Windows Server 2008 R2 and Windows 7, and they are not supported in SharePoint 2013.

For SQL Server services, use Managed Service Accounts (MSAs) if you are using SQL Server 2012, which added support for them. For example, you can use an MSA for the SQL Server Engine and SQL Server Agent. Use MSAs for SQL Server accounts that will not be used to log in to the server; you cannot log in to a server with an MSA. Using MSAs for SQL Server services is considered a best practice. MSA names are limited to a total of 15 characters (this does not include the DOMAIN\ part). The following is a good reference on how to enable MSAs: http://blogs.technet.com/b/rhartskeerl/archive/2011/08/22/sql-server-code-name-denali-adds-support-for-managed-service-accounts.aspx

SharePoint Service Account Character Length

SharePoint service accounts (managed accounts) are limited to a total of 20 characters, including the domain name (for example, Domain\SP_Name should total less than 20 characters). This limitation is not imposed on SQL Server service accounts or SharePoint's Setup User Account (e.g. SPAdmin). But to be on the safe side, I would still follow the 20 to 25 character limit.
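A check of a planned naming scheme against the length limits in the Overview, the Managed Service Account section and this section, as an added PowerShell example that is not part of this page. The domain name and the account names are constructed; the limits are treated as inclusive ceilings (20 for SharePoint managed accounts counting DOMAIN\, 15 for MSA names alone, 25 as the safe ceiling for everything else).

```powershell
# Added example: validate planned service account names before creating them in AD.
# Constructed sample plan - the domain and names are placeholders, not recommendations.
$domain = "CONTOSO"

# Kind: SharePoint = managed account (20 chars incl. DOMAIN\), MSA = SQL managed service
# account (15 chars, name only), Other = SQL service or setup account (25 as the safe ceiling).
$plan = @(
    @{ Name = "SP_Farm";              Kind = "SharePoint" },
    @{ Name = "SP_WebApp";            Kind = "SharePoint" },
    @{ Name = "SP_ProfileSync";       Kind = "SharePoint" },   # 22 chars with DOMAIN\ - too long
    @{ Name = "SP_PPSUser";           Kind = "SharePoint" },
    @{ Name = "SQL_Engine";           Kind = "MSA" },
    @{ Name = "SQL_AgentServiceAcct"; Kind = "MSA" },          # 20 chars - exceeds the MSA limit
    @{ Name = "SPAdmin";              Kind = "Other" }
)

function Test-ServiceAccountName([string]$Domain, [string]$Name, [string]$Kind) {
    $full = "$Domain\$Name"
    switch ($Kind) {
        "SharePoint" { $measured = $full.Length; $limit = 20 }   # limit counts the DOMAIN\ prefix
        "MSA"        { $measured = $Name.Length; $limit = 15 }   # limit counts the account name only
        default      { $measured = $full.Length; $limit = 25 }   # the page's "safe side" ceiling
    }
    [pscustomobject]@{
        Account  = $full
        Kind     = $Kind
        Measured = $measured
        Limit    = $limit
        Status   = if ($measured -le $limit) { "OK" } else { "TOO LONG" }
    }
}

$results = $plan | ForEach-Object { Test-ServiceAccountName $domain $_.Name $_.Kind }
$results | Format-Table -AutoSize

# Fail fast so a deployment script stops before any over-long account is created.
if ($results | Where-Object { $_.Status -ne "OK" }) {
    throw "One or more planned service account names exceed their length limit."
}
```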